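#!/bin/sh
#
# Host firewall for a Proxmox hypervisor that fronts a firewall VM.
#
# Topology as encoded by the rules below:
#
#   Internet --[PublicBridge / PublicIP]-- hypervisor --[WanBridge / WanNetwork]-- firewall VM --[LanBridge]-- VMs
#
# What the script does:
#   * resets the IPv4 filter/nat/mangle tables and the IPv6 filter table and
#     sets a DROP policy on INPUT/OUTPUT/FORWARD for both families;
#   * accepts SSH (SshPort) and the Proxmox web UI (8006) on the public IP,
#     optionally restricted to AdminNet;
#   * lets the hypervisor itself reach HTTP/HTTPS/DNS on the public side and
#     TCP services on the WAN network;
#   * DNATs every other inbound TCP/UDP flow arriving on the public interface
#     to the firewall VM, and masquerades the WAN network behind the public IP.
#
# Rules are installed live and are NOT persisted: they do not survive a
# reboot unless saved (iptables-save) or re-applied from a boot unit.
# NOTE(review): if Proxmox's own pve-firewall service is enabled it manages
# iptables too and may overwrite these rules — verify which one is in charge.
#
# Lock-out warning: policies are switched to DROP *before* the ACCEPT rules
# are installed, and the script aborts on the first failing command (set -e).
# A failure between the policy change and the RELATED,ESTABLISHED rule leaves
# the host fail-closed. Run it from the console (or with a scheduled fallback
# that re-opens access) rather than blindly over SSH.

set -eu

###################
# Define variables
###################

## Public bridge holds the physical interface (public IP, default gateway)
PublicBridge="vmbr0"

## WAN bridge (holds WanNetwork)
WanBridge="vmbr1"

## LAN bridge (holds LanNetwork) -- declared for reference, not used by any rule below
LanBridge="vmbr2"

## Network between hypervisor and firewall, CIDR (e.g. 10.0.0.0/30)
WanNetwork=""

## Network between firewall and VMs, CIDR -- not used by any rule below
LanNetwork=""

## VPN network, CIDR -- not used by any rule below
VpnNetwork=""

## IPv4 public IP of the physical interface
PublicIP=""

## Hypervisor IP inside the WAN network
HypervisorWanIP=""

## Hypervisor IP inside the LAN network -- not used by any rule below
HypervisorLanIP=""

## Firewall IP inside the WAN network
FirewallWanIP=""

## SSH port (numeric)
SshPort="xxxxx"

## Source network allowed to reach SSH and the Proxmox web UI.
## The default keeps both reachable from the whole Internet; narrow it to your
## admin network or VPN range (e.g. "$VpnNetwork") to keep management ports
## off the open Internet.
AdminNet="0.0.0.0/0"

###################
# Sanity checks
###################
# Fail before touching a single rule: an empty value would otherwise turn
# e.g. "-s $WanNetwork -j ACCEPT" into "-s -j ACCEPT", which iptables rejects,
# and a placeholder port would make the SSH rule error out after the DROP
# policy is already in place.

die() {
  printf 'firewall: %s\n' "$*" >&2
  exit 1
}

# require NAME VALUE -- abort with a clear message when VALUE is empty.
require() {
  [ -n "$2" ] || die "$1 is empty: fill in the 'Define variables' section"
}

require PublicBridge "$PublicBridge"
require WanBridge "$WanBridge"
require WanNetwork "$WanNetwork"
require PublicIP "$PublicIP"
require HypervisorWanIP "$HypervisorWanIP"
require FirewallWanIP "$FirewallWanIP"
require AdminNet "$AdminNet"

case "$SshPort" in
  ''|*[!0-9]*) die "SshPort must be a port number, got '$SshPort'" ;;
esac

[ "$(id -u)" -eq 0 ] || die "must be run as root"

###################
# Cleanup
###################

# IPv4: empty every chain of the filter, nat and mangle tables, then remove
# user-defined chains (they must be empty first, hence the order).
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# IPv6: same reset, so stale v6 rules do not survive a re-run.
ip6tables -F
ip6tables -X

# Default deny for both families. From here on only explicit ACCEPT rules let
# traffic through -- see the lock-out warning in the header.
for chain in INPUT OUTPUT FORWARD; do
  iptables -P "$chain" DROP
  ip6tables -P "$chain" DROP
done

# IPv6 loopback: with a DROP policy and no other v6 rule, local services
# talking to ::1 would be cut off.
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT

###################
# Chains
###################

# New inbound TCP (SYN only) and UDP flows are dispatched to their own chains;
# everything that is not explicitly accepted there falls back to the INPUT
# DROP policy.
iptables -N TCP
iptables -N UDP
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP

###################
# Global rules
###################

# Loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Keep current and related connections alive (this also protects the SSH
# session the script may be running in). OUTPUT deliberately has no
# ESTABLISHED shortcut: replies from local services are allowed by the
# explicit --sport rules below, so a new inbound service needs one of those.
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Answer pings (echo-request, type 8). Unrated; add "-m limit" if the host
# should not be usable as a ping amplifier target.
iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT

########################
# Incoming traffic rules
########################

# SSH, on the public IP only, from AdminNet.
iptables -A TCP -i "$PublicBridge" -s "$AdminNet" -d "$PublicIP" -p tcp --dport "$SshPort" -j ACCEPT

# Proxmox web UI, on the public IP only, from AdminNet.
iptables -A TCP -i "$PublicBridge" -s "$AdminNet" -d "$PublicIP" -p tcp --dport 8006 -j ACCEPT

########################
# Outgoing traffic rules
########################

# ICMP out (ping, and the echo-replies to the rule above).
iptables -A OUTPUT -p icmp -j ACCEPT

# HTTP/HTTPS from the public IP (package updates etc.).
iptables -A OUTPUT -o "$PublicBridge" -s "$PublicIP" -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -o "$PublicBridge" -s "$PublicIP" -p tcp --dport 443 -j ACCEPT

# DNS (UDP only; TCP fallback for large answers is not allowed here).
iptables -A OUTPUT -o "$PublicBridge" -s "$PublicIP" -p udp --dport 53 -j ACCEPT

# Replies from the local SSH server.
iptables -A OUTPUT -o "$PublicBridge" -s "$PublicIP" -p tcp --sport "$SshPort" -j ACCEPT

# Replies from the Proxmox web UI.
iptables -A OUTPUT -o "$PublicBridge" -s "$PublicIP" -p tcp --sport 8006 -j ACCEPT

# Hypervisor -> any TCP service on the WAN network (firewall VM, VMs behind it).
iptables -A OUTPUT -o "$WanBridge" -s "$HypervisorWanIP" -p tcp -j ACCEPT

###########################
# Forwarding traffic rules
###########################

# All new inbound TCP on the public interface is handed to the firewall VM,
# except the two management ports served by the hypervisor itself.
iptables -t nat -A PREROUTING -i "$PublicBridge" -p tcp -m multiport ! --dports "$SshPort",8006 -j DNAT --to "$FirewallWanIP"

# All new inbound UDP on the public interface goes to the firewall VM.
iptables -t nat -A PREROUTING -i "$PublicBridge" -p udp -j DNAT --to "$FirewallWanIP"

# Let the DNATed flows actually be forwarded public -> WAN bridge.
iptables -A FORWARD -i "$PublicBridge" -d "$FirewallWanIP" -o "$WanBridge" -p tcp -j ACCEPT
iptables -A FORWARD -i "$PublicBridge" -d "$FirewallWanIP" -o "$WanBridge" -p udp -j ACCEPT

# Anything originating from the WAN network may be forwarded (towards the
# Internet or elsewhere); the firewall VM is trusted to police it.
iptables -A FORWARD -i "$WanBridge" -s "$WanNetwork" -j ACCEPT

# WAN network egresses through the public IP.
iptables -t nat -A POSTROUTING -s "$WanNetwork" -o "$PublicBridge" -j MASQUERADE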

